ISO27001 and the Improvement Clause
Clause 10 of ISO27001 Information Security Management Systems (ISMS) is where you get some serious value for your organisation. Along the way to implementing your ISMS you have planned things out, you have implemented your information security management policy, implemented various new processes and systems and in your internal auditing process you checked what you have and what you do not. Now it is time to Act on the gaps, on the findings of your audits and analysis.
Meeting clause 10 means that you have a structured approach to capturing all your non-conformances, corrective actions and, of course, improvement ideas for your system. It is the clause that really breathes life into your Information Security Management System; it raises the bar time and again. Every time you find an issue, you record it and decide if you need to fix it or not, yep, you decide. There will be some things that you uncover or get suggested that really do not make the system better; they can make it harder to use and you want to try and avoid those if you can. Everything else is gold, and you need to mine for it in your audits.
Clause 10.1 Non-Conformity and Corrective Actions
Clause 10.1 of the ISO27001:2018 standard does not leave too much for the user to interpret. The clause starts off with a nice clear "When a nonconformity occurs, the organisation shall", remembering that "shall" is ISO language for "you must do this". So, what must you do when you find a non-conformance? Again, it is pretty clear: react to the nonconformity and, as applicable, 1) take action to control and correct it, and 2) deal with the consequences.
In other words, you need to do something about it, but you should do it in a manner that makes sense and is measured in terms of the issue, the size of the organisation and the risk. You also need to evaluate the issue in terms of the risk of it recurring or occurring elsewhere in the organisation or system, and so take steps to understand the real cause of the nonconformity. Doing that sounds great, right? Yet that is not enough; you also need to identify if similar nonconformities exist or could potentially occur. In other words, you need to look for trends and for other systems or processes that may have similar vulnerabilities to the non-conformance. Why would you need to do that? Well, if there is a trend you have an endemic insecurity that needs plugging and you are at risk: your system is not working correctly, and you are exposed. If it has not happened before and you stop there, then you miss the opportunity to identify future vulnerabilities in your Information Security Management System and avoid future non-conformances. It is asking you to plug the hole before the leak. By doing this you know how big the problem really is, or how big it could be, and that way you know the level of response you need to have.
It makes sense, then, that the next requirement is to implement any action you have determined would be needed. Not content to stop there, the standard wants you to progress through the PDCA loop a bit more and review the actions you put in to make sure they were effective (sounds like the Check part of PDCA to me).
From there it takes you to the Act part of the loop: it's time to make the changes to your ISMS that you need to as a result of fixing this non-conformance.
Finally, this clause wants you to remember to document things. You need to keep documented information as evidence of the nature of the non-conformance, the actions taken and the results of the corrective action. That makes sense, since no one is going to remember everything that happened and who did what unless you write it down. Plus, this becomes the history of your system, so when future issues come up this is where you will look for the similar issues that we talked about earlier. That means you want to make your documented information easy to search and analyse, so you can easily get out the information you may need.
Types of Non-Conformances
What type of things count as non-conformances in terms of your ISO27001 Information Security Management System? Luckily the ISO27003:2017 guidance document has some help for you here. I say some, but what I really mean is a pretty exhaustive list. You can of course add more yourself, but these are the types of things you should be classifying as non-conformances:
- Failure to fulfil or correctly implement or conform to a requirement, rule or control stated by your ISMS.
- Partial or total failure to comply with legal, contractual, or agreed customer requirements.
- Persons not behaving as expected by procedures and policies.
- Suppliers not providing agreed products or services.
- Projects not delivering expected outcomes.
- Controls not operating according to design.
- Deficiencies of activities performed in the scope of the management system.
- Ineffective controls that are not remediated appropriately.
- Analysis of information security incidents, showing the non-fulfilment of a requirement of the ISMS.
- Complaints from customers.
- Alerts from users or suppliers.
- Monitoring and measurement results not meeting acceptance criteria.
- Objectives not achieved.
Now that may seem like a lot of things, but it is not going to take too much to find things that fall into these categories, and once you fix them you keep going. The secret really is to record everything, especially things like scams, malware alerts, misuse of devices or password sharing. Something else that can help is monitoring what is happening in the local cyber security environment and what your local government agencies are flagging up. If, for example, they happen to flag up a malware issue, then you really should look at your systems to see how you could be affected and what you could do within your ISMS to nullify the risk.
Clause 10.2 Continuous Improvement
The final section of ISO27001:2018 is clause 10.2, which is Continuous Improvement. Like other ISO standards, ISO27001 for Information Security Management Systems expects you to keep improving your ISMS.
The standard states you should improve the suitability, adequacy and effectiveness of your system, so what does that actually mean? It means you need to keep looking at your system and at your processes, finding the things that are not quite working as well as you or your team would like. It means that your system evolves as your organisation and the world around you evolve, so that it continues to meet the needs of the interested parties at all times. One of the easiest ways to do this is to involve as many people as possible in your system: talk with people about it as often as you can, hold townhall meetings and virtual summits, make it simple for people to propose improvements and create a culture that is open to anyone challenging the status quo.
Copyright
© Many Caps Consulting | All Rights Reserved